Active Directory: Persistence, Domination, and Kerberos Forgery

DCSync is not a vulnerability but the abuse of a legitimate feature. An attacker who holds the directory replication rights on the domain naming context (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, granted by default to Domain Admins, Enterprise Admins, the built-in Administrators group and the Domain Controllers themselves) impersonates a Domain Controller (DC) and asks a real DC to replicate account secrets to it.

Using the Directory Replication Service Remote Protocol (MS-DRSR, specifically the DsGetNCChanges request), the attacker can pull the NTLM hash and Kerberos keys of any account without running code on the DC. The most valuable target is the krbtgt account: its key encrypts and signs every TGT in the domain, so holding it is the foundation of the Golden Ticket attack described below.

  • Network Level: Monitor DRSUAPI (MS-DRSR) RPC traffic, in particular DsGetNCChanges requests, originating from IP addresses that are not Domain Controllers; legitimate replication only flows between DCs.
  • Log Level: Event ID 4662 (An operation was performed on an object) on a DC with Access Mask 0x100 (Control Access) and a Properties field containing the replication right GUIDs (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 for DS-Replication-Get-Changes, 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 for DS-Replication-Get-Changes-All), raised by a subject that is not a DC computer account. The event is only written when Audit Directory Service Access is enabled and the domain object's SACL audits those control-access rights; without that SACL a DCSync leaves no 4662 at all.
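The log-level check above, written out as an added example (this is not code from the original page): it flags 4662 entries whose Properties field carries the replication control-access rights when the subject is not a known DC computer account. It runs offline against two constructed sample events; the commented lines at the end show the live form against a DC's Security log. Assumed: the caller supplies the list of DC computer accounts, and the auditing prerequisites named above are already in place.

```powershell
# Added example, not code from the original page: flag Event ID 4662 entries
# that exercise the directory-replication control-access rights from a
# principal that is not a known DC computer account. Runs offline against the
# two constructed sample events below. Assumed: the caller supplies the DC
# computer accounts, and "Audit Directory Service Access" plus an audit SACL
# for these rights on the domain object are configured (else no 4662 exists).

# Control-access right GUIDs from the AD schema (Extended-Rights container).
$ReplicationRightGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-EventDataField {
    # Read one <Data Name="..."> value out of an event's XML rendering.
    param([xml]$EventXml, [string]$Name)
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Test-DcSyncEvent {
    # Returns one object per event; .IsSuspicious is $true when replication
    # rights appear in the Properties field and the subject is not a DC.
    param(
        [Parameter(Mandatory)][string]$EventXmlText,
        [Parameter(Mandatory)][string[]]$DcAccounts   # e.g. 'DC01$','DC02$'
    )
    [xml]$x = $EventXmlText
    $subject    = Get-EventDataField $x 'SubjectUserName'
    $properties = Get-EventDataField $x 'Properties'
    $rights = @(foreach ($guid in $ReplicationRightGuids.Keys) {
        if ($properties -match [regex]::Escape($guid)) { $ReplicationRightGuids[$guid] }
    })
    [pscustomobject]@{
        Subject      = $subject
        Rights       = $rights
        IsSuspicious = ($rights.Count -gt 0) -and ($DcAccounts -notcontains $subject)
    }
}

# Constructed sample events (not real logs). Both show a control-access
# operation (AccessMask 0x100) on the domain object; only the second is
# performed by a non-DC principal.
$SampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">DC02$</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectType">%{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
    <Data Name="AccessMask">0x100</Data>
    <Data Name="Properties">{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}
{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}</Data>
  </EventData>
</Event>
'@
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">svc-backup</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectType">%{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
    <Data Name="AccessMask">0x100</Data>
    <Data Name="Properties">{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}
{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}</Data>
  </EventData>
</Event>
'@
)

$knownDcs = 'DC01$', 'DC02$'
$SampleEvents | ForEach-Object { Test-DcSyncEvent -EventXmlText $_ -DcAccounts $knownDcs } |
    Where-Object IsSuspicious | Format-Table Subject, Rights

# Live form, run on a DC with the ActiveDirectory module available:
# $knownDcs = (Get-ADDomainController -Filter *).Name | ForEach-Object { $_ + '$' }
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } |
#     ForEach-Object { Test-DcSyncEvent -EventXmlText $_.ToXml() -DcAccounts $knownDcs } |
#     Where-Object IsSuspicious
```

Only the svc-backup event is reported. The allowlist is by subject name rather than source IP because a DC's own replication shows up under its computer account; pair this with the network-level check, since a compromised DC computer account would pass this filter.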

2. Golden Ticket: The Ultimate TGT Forgery

A Golden Ticket is a forged Ticket Granting Ticket (TGT). To create it, the attacker needs the krbtgt account hash (or AES key), obtained via DCSync or from LSASS or NTDS.dit on a compromised DC.

  • Total Impersonation: Forging a TGT for any user, existing or not, with any group membership in the PAC (including Enterprise Admins).
  • Long-term Persistence: Setting a validity period far beyond the domain default of 10 hours (common forging tools default to 10 years); the KDC honours the lifetime inside the ticket rather than re-checking it against policy.
  • No initial authentication at the DC: The TGT was never issued by the DC, so there is no AS-REQ/AS-REP and no Event ID 4768 for it. The DC is still contacted afterwards, because the attacker presents the forged TGT in a TGS-REQ to obtain service tickets; the resulting 4769 events for a TGT the DC never issued are the main detection hook.

Remediation after a confirmed krbtgt compromise:

  1. Identify the Breach: Confirm that a Domain Controller, or the krbtgt secret itself, was compromised; the reset is disruptive and should not be done on a hunch.
  2. First krbtgt Reset: Change the password of the krbtgt account. New TGTs are issued with the new key, but the KDC keeps the previous password (password history n-1) and still accepts tickets encrypted with it, so existing legitimate TGTs and forged Golden Tickets both keep working during this transition period.
  3. Second krbtgt Reset: Wait until the new password has replicated to every DC and at least the maximum TGT lifetime (10 hours by default; 24 hours is a comfortable margin) has passed, then reset the password a second time. This pushes the compromised key out of the history, and every ticket encrypted with it, including every Golden Ticket, is rejected from then on. Resetting twice before replication completes causes domain-wide authentication failures, so the wait is mandatory. Read-only DCs use their own krbtgt_<id> accounts, which must be reset separately if an RODC was the one compromised.
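The three steps above as an operator would run them, written here as an added example (not code from the original page). It needs the ActiveDirectory module and Domain Admin rights, and is assumed to run from a management host against the PDC emulator in a domain where no read-only DC was compromised; the function and variable names are the example's own.

```powershell
# Added example, not code from the original page: two-step krbtgt reset with a
# replication check in between. Assumed: ActiveDirectory module, Domain Admin
# rights, run against the PDC emulator, no compromised RODC (RODCs have their
# own krbtgt_<id> accounts, which this script deliberately does not touch).

Import-Module ActiveDirectory

function New-RandomPassword {
    # krbtgt never authenticates with its password, so the value only needs
    # entropy; the KDC derives the Kerberos keys from it.
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Get-KrbtgtPwdVersion {
    # Replication metadata version of pwdLastSet as seen by one DC; every DC
    # reports the same number once a reset has fully replicated.
    param([Parameter(Mandatory)][string]$Server)
    $dn = (Get-ADUser -Identity 'krbtgt' -Server $Server).DistinguishedName
    (Get-ADReplicationAttributeMetadata -Object $dn -Server $Server -Properties pwdLastSet |
        Where-Object AttributeName -eq 'pwdLastSet').Version
}

function Reset-KrbtgtPassword {
    # One reset on the PDC emulator; returns the new metadata version.
    # Supports -WhatIf so the block can be dry-run safely.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Server = (Get-ADDomain).PDCEmulator)
    if ($PSCmdlet.ShouldProcess("krbtgt on $Server", 'Reset password')) {
        Set-ADAccountPassword -Identity 'krbtgt' -Server $Server -Reset -NewPassword (New-RandomPassword)
        Get-KrbtgtPwdVersion -Server $Server
    }
}

function Test-KrbtgtReplicated {
    # $true only when every writable DC reports the expected version. A second
    # reset before this is $true would evict a key from the history that some
    # DCs never received, and those DCs would then reject valid tickets.
    param([Parameter(Mandatory)][int]$ExpectedVersion)
    $writableDcs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }
    $lagging = foreach ($dc in $writableDcs) {
        $v = Get-KrbtgtPwdVersion -Server $dc.HostName
        if ($v -ne $ExpectedVersion) { "$($dc.HostName) has version $v" }
    }
    if ($lagging) { Write-Warning ($lagging -join '; '); return $false }
    $true
}

# Operator sequence (the waits are deliberate, not a script loop):
#   $v1 = Reset-KrbtgtPassword          # first reset
#   ... wait for replication plus at least the max TGT lifetime (10 h default,
#   ... 24 h is a comfortable margin); repeat until it returns $true:
#   Test-KrbtgtReplicated -ExpectedVersion $v1
#   $v2 = Reset-KrbtgtPassword          # second reset evicts the old key
#   Test-KrbtgtReplicated -ExpectedVersion $v2
Reset-KrbtgtPassword -WhatIf
```

The metadata version is used instead of comparing timestamps because it is the value the DCs themselves replicate; a DC reporting a lower version than the PDC emulator has not yet received the new key, and the second reset must wait for it.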

3. Silver Ticket: Stealthy Service Forgery

A Silver Ticket is a forged service ticket (the ticket returned in a TGS-REP, commonly called a TGS). It targets one service principal on one host, for example cifs/fileserver01 on a file server.

  • Requirement: The NTLM hash or Kerberos key of the account that runs the service, which for host-level services such as CIFS, HOST or RPCSS is the target computer's machine account; no domain-level secret is needed.
  • Forensic Challenge: The ticket is never requested from the DC, so no 4769 is logged; the only exchange is the AP-REQ between the attacker and the target service. One caveat: a service that performs PAC validation with a DC (by default only processes lacking SeTcbPrivilege do) can surface the forged PAC, because the attacker cannot produce the krbtgt-keyed PAC signature.
  • Detection: Look for Event ID 4624 (Successful Logon) on the target server with Logon Type 3 and Authentication Package Kerberos for which no Event ID 4769 (A Kerberos service ticket was requested) exists on any DC for that user and that service within the service-ticket lifetime (10 hours by default), as well as field values that deviate from legitimate Kerberos logons on the same host.
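The 4624-to-4769 correlation as an added example (not code from the original page). It runs offline on constructed records; in production both record sets come from the SIEM with the same field names, or from Get-WinEvent with the fields pulled out of each event's XML. Assumed: user names are already normalized to the bare account name (4769 logs them as alice@CORP.EXAMPLE), the 4769 ServiceName for host services is the target's computer account (FS01$), and every DC's log is in the set, since a gap in DC collection would make legitimate logons look forged.

```powershell
# Added example, not code from the original page: report Kerberos network
# logons on member servers (4624) for which no DC logged a matching service
# ticket request (4769). Assumed: bare user names, ServiceName = computer
# account of the target host, complete DC log coverage.

function Find-UncorrelatedKerberosLogon {
    param(
        [Parameter(Mandatory)][object[]]$Logons,        # 4624 records from member servers
        [Parameter(Mandatory)][object[]]$TicketGrants,  # 4769 records from all DCs
        # A service ticket is cached and reused for its whole lifetime, so the
        # lookback is the maximum service-ticket lifetime (10 h default), not
        # the few minutes a naive correlation might use.
        [timespan]$TicketLifetime = [timespan]::FromHours(10)
    )
    # Only Kerberos network logons can originate from a Silver Ticket.
    $kerberos = $Logons | Where-Object { $_.LogonType -eq 3 -and $_.AuthPackage -eq 'Kerberos' }
    foreach ($logon in $kerberos) {
        $service = $logon.Host + '$'
        $issued = $TicketGrants | Where-Object {
            $_.User -eq $logon.User -and
            $_.ServiceName -eq $service -and
            $_.Time -le $logon.Time -and
            ($logon.Time - $_.Time) -le $TicketLifetime
        }
        if (-not $issued) { $logon }    # no DC issued a ticket for this logon
    }
}

# Constructed records (not real logs).
$t0 = [datetime]'2024-05-01T08:00:00'
$Sample4769 = @(
    [pscustomobject]@{ Time = $t0;                User = 'alice'; ServiceName = 'FS01$' }
    [pscustomobject]@{ Time = $t0.AddMinutes(30); User = 'bob';   ServiceName = 'SQL01$' }
)
$Sample4624 = @(
    # alice: ticket for FS01 issued 15 min earlier -> legitimate
    [pscustomobject]@{ Time = $t0.AddMinutes(15); Host = 'FS01'; User = 'alice'; LogonType = 3; AuthPackage = 'Kerberos'; SourceIp = '10.0.0.21' }
    # bob: his only ticket was for SQL01, yet he logs on to FS01 with Kerberos -> no DC issued this ticket
    [pscustomobject]@{ Time = $t0.AddMinutes(40); Host = 'FS01'; User = 'bob';   LogonType = 3; AuthPackage = 'Kerberos'; SourceIp = '10.0.0.99' }
    # carol: NTLM, outside the scope of this check
    [pscustomobject]@{ Time = $t0.AddMinutes(50); Host = 'FS01'; User = 'carol'; LogonType = 3; AuthPackage = 'NTLM';     SourceIp = '10.0.0.30' }
)

Find-UncorrelatedKerberosLogon -Logons $Sample4624 -TicketGrants $Sample4769 |
    Format-Table Time, Host, User, SourceIp
```

Only bob's logon is reported. For services that run under a dedicated account (for example MSSQLSvc under a service user), the 4769 ServiceName is that account rather than the computer account, so the correlation key must be extended per service; and because the check is a negative one, any DC whose logs are missing from the input turns legitimate logons into alerts.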

Attack Type     Target Component   Stealth Level   Key Evidence Source
DCSync          AD Replication     Medium          Network IDS / DC Event ID 4662
Golden Ticket   Kerberos TGT       High            DC Event ID 4769 with no preceding 4768 for that TGT
Silver Ticket   Kerberos TGS       Critical        Member Server Event ID 4624 with no matching 4769

Centralized Logging

Ensure member server logs are forwarded to a SIEM. A Silver Ticket leaves evidence only on the target host (a 4624 there, nothing on the DC), so a collection limited to Domain Controllers will never see it.

Least Privilege

Strictly limit the principals that hold the replication rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) on the domain naming context, and review that ACL regularly: a service account granted these rights for a synchronization product can run DCSync without ever being a Domain Admin.